
LPS Detail Report

The Log Processing Report Detail file is written to the logs directory of the Mediator Server service, and is named lps_detail.log. It is in standard text format, readable with any text viewer. In a default installation, the path to this file is:

%PROGRAMFILES%\LogRhythm\LogRhythm Mediator Server\logs\lps_detail.log

Report Content

The report contains a header and a section for each Log Processing Policy that is active.

The header contains information identifying the report, the date and time it was created, and the ID number of the license being used to run the Mediator Server service.

The date and time are given in UTC, not local time.

Example header:

LogRhythm Log Processing Report

Copyright 2012 LogRhythm, Inc.

Statistics Compiled on 09/26/2012 05:04 PM

LogRhythm Lic ID 646

KB Version 6.1.970.6

Mediator ID 1

Mediator Version 6.1.0.0

Stat Collection Start 09/25/2012 09:54 PM

Stat Collection End 09/26/2012 05:04 PM

Each Log Processing Policy section contains the data field (column) headers, the Log Source Type of the policy, the name of the policy, and then one line for each base-rule in the policy.

The following table provides descriptions of what each field (column) contains.

| Field | Description |
| --- | --- |
| Base-rule | Name of the base-rule. |
| Sort Order | Numerical string of current sort order (Auto) or static in KB. |
| Forward Events | True/False |
| Sort | Automatic (A) / Static (S) |
| Sub-rules | Number of sub-rules under the base-rule. |
| Attempts | Total number of logs compared against the base-rule and any associated sub-rules. |
| % Match | Percent of the logs compared that matched the rule. |
| % Total Match | Percent of the logs matched by the rule regardless of whether the log ever hit the rule. |
| % Total Match-EWMA | The percent of the total logs processed by the policy that matched the rule as an exponentially weighted moving average. This value ages out data over an hour old so that the automatic sorting algorithm can be responsive to changes in the percentage of total logs a rule matches. |
| LPS-Regex-Total | Total Rate (LPS) at which a regex processes incoming logs. |
| LPS-Regex-Match | Total Rate (LPS) at which a regex processes incoming logs when the regex matches the log. A regex can match a log while the rule does not. Only applicable for “Pattern” base rules, where a sub-rule match is required to obtain a rule match. |
| LPS-Regex-NoMatch | Total Rate (LPS) at which a regex processes incoming logs when the regex does not match the log. |
| LPS-Rule-Total | Total rate (LPS) at which a rule processes incoming logs. |
| LPS-Rule-Match | Total rate at which a rule processes incoming logs when the rule matches the log. The regex matches the log AND the rule matches a log. A rule could have a very high regex match rate but a very slow rule match rate due to a large number of sub-rules or poorly performing sub-rules. |
| LPS-Rule-NoMatch | Total rate at which a rule processes incoming logs when the rule does not match the log. |
| LPS-Rule-NoMatch-EWMA | The total rate at which a rule processed incoming logs when the rule does not match as an exponentially weighted moving average. This value ages out data over an hour old so that the automatic sorting algorithm can be responsive to changes in the non match performance of rules. |
| MPERule ID | Unique ID number given to the base-rule - used by LogRhythm to identify MPE Rule in the Knowledge Base. |
| Regex ID | Unique ID number given to the regex. |

Keys to Understanding the Report

  1. A report section is prepared for each MPE policy. Rule performance is reported within the context of an MPE policy, where the policy determines which rules are processed. One policy could have a base-rule enabled with all sub-rules enabled, where the rule has extremely poor performance. Another policy could have the same base-rule enabled but with only a subset of the available sub-rules, resulting in much better performance. Because the policy determines which base-rules and associated sub-rules are processed, it is important to evaluate rule performance within the context of its associated policy.
  2. The report prints each base-rule and provides a count of enabled sub-rules. The base-rules are printed in the order they are processed. When a log is processed, the first rule printed is the first rule attempted, the last rule printed is the last rule attempted.
  3. The number of attempts per rule decreases as you go down the list. This is because if a log matches one of the above rules, it will not be processed by a lower rule.
     There is an exception to this for disabled rules. If a rule has fewer attempts than a rule below it, the rule with fewer attempts was disabled due to MPE minimum performance thresholds.
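
The checks from key 3 and from the LPS-Rule-Match description, as an added example (not LogRhythm code). It assumes the rows of one policy section have already been extracted, in report order, into the hypothetical `RuleStat` tuples below; the sample rows are constructed and the 10x ratio cutoff is an assumption, not a product threshold.

```python
from typing import NamedTuple

class RuleStat(NamedTuple):      # hypothetical container, one row per base-rule
    base_rule: str               # "Base-rule" column
    attempts: int                # "Attempts" column
    lps_regex_match: float       # "LPS-Regex-Match" column
    lps_rule_match: float        # "LPS-Rule-Match" column

def disabled_by_threshold(rules):
    """Base-rules with fewer attempts than some rule printed below them.

    `rules` must be in report (processing) order for a single policy section.
    Per the report's ordering, such a rule was disabled by the MPE minimum
    performance thresholds, so logs it used to match now fall through.
    """
    flagged = []
    max_below = 0
    for rule in reversed(rules):             # walk bottom-up
        if rule.attempts < max_below:        # strictly fewer than a lower rule
            flagged.append(rule.base_rule)
        max_below = max(max_below, rule.attempts)
    flagged.reverse()                        # restore report order
    return flagged

def slow_sub_rules(rules, ratio=10.0):
    """Base-rules whose regex matches fast but whose rule match is slow.

    `ratio` is an assumed cutoff: regex-match LPS at least `ratio` times the
    rule-match LPS points at many or poorly performing sub-rules.
    """
    return [r.base_rule for r in rules
            if r.lps_rule_match > 0
            and r.lps_regex_match / r.lps_rule_match >= ratio]

# Constructed sample rows for one policy section, in report order.
SAMPLE = [
    RuleStat("Rule A", 100000, 9000.0, 8800.0),
    RuleStat("Rule B", 1200, 7000.0, 6500.0),    # fewer attempts than C and D
    RuleStat("Rule C", 60000, 8000.0, 400.0),    # regex fast, rule slow
    RuleStat("Rule D", 45000, 5000.0, 4900.0),
]

if __name__ == "__main__":
    print("Disabled by threshold:", disabled_by_threshold(SAMPLE))
    print("Slow sub-rules:", slow_sub_rules(SAMPLE))
```

Run each policy section separately, since rule order and enabled sub-rules differ per policy.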